PCI DSS Compliance Management
The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry-based security standards designed to help ensure that the Processing, Storage and Transmission of credit card information is undertaken in a secure manner at all times.
The PCI DSS is the minimum level of applicable security requirements that need to be followed by relevant organisations.
Does This Apply to Me?
The PCI DSS is applicable globally to all organisations who process, storage or transmit credit card data either themselves or on behalf of other organisations. There is no minimum number of credit card transactions.
What is PCI DSS?
The PCI DSS is a set of minimum security requirements that were first published in 2006 by the PCI Security Standards Council, and designed to increase the level of cardholder data protection to help reduce the level of credit card fraud.
The PCI Security Standards Council was formed in 2006 by the major card brands, American Express, Discover, JCB International, Mastercard and Visa Inc.
How Do I Become Compliant?
Each organisation should implement the applicable PCI DSS requirements and provide annual compliance reporting in line with the nature and volume of their credit card handling. The compliance reporting can range from self-assessment questionnaires (SAQ’s) for small organisations to independent reviews for larger organisations or service providers. This reporting is done through to the relevant acquiring bank for each organisation.
What is the penalty for non-compliance with PCI DSS?
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicised, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.
Should a credit card data breach occur, you may also be liable for forensic investigation and remediation costs and incur reputational damage as well.
Terra Firma – PCI DSS Compliance Management Services
Terra Firma is an approved PCI DSS Qualified Security Assessor (QSA) firm as authorised by the PCI Security Standards Council. Our highly experienced team offer pragmatic, common sense solutions that are tailored to your specific operational and compliance needs. We work closely with you to find the right outcomes that not just achieve compliance but maintain the compliance level going forward.
PCI DSS compliance is a business-wide undertaking which impacts people, processes and technology. We advocate a “whole of business” approach which focusses on all applicable business areas.
Our strength lies in our highly experienced people and professional advisory services. Terra Firma has an unrivalled reputation for high-quality consulting services over many years in Australia.
Our PCI DSS Compliance Services
o PCI DSS Advisory Service
Support and guidance to understand your current PCI DSS posture and the roadmap forward to compliance.
o Assisted Self-Assessment Advisory
Support and Guidance on the completion of Self-Assessment Questionnaires
o Independent Report of Compliance (RoC)
Formal assessment and reporting of PCI DSS compliance status.
o Penetration Testing (Internal and External)
Penetration testing may be required to meet your compliance obligations
o Vulnerability Scanning (Internal and External)
Vulnerability assessments may be required, using an Approved Scanning Vendor (ASV)
o Credit Card Data Discovery
You need to know what card data you have in order to manage compliance
o Firewall Configuration Assessments
Review of firewall rules and configuration against stated standard.
o Managed Compliance Service
Full management of PCI DSS compliance actions, follow-up and status reporting
o End to End PCI DSS Program Management
(Remediation strategy, Program roadmap, resource planning, solution design etc.)